Graphic 1: Average difference in cost of data breaches
When remote working was a factor in causing the breach, costs were an average of nearly $1 million greater than in breaches where remote working was not a factor—$4.99 million versus $4.02 million. Remote work-related breaches cost on average about $600,000 more compared to the global average.
Average difference in cost where remote work was a factor in causing the breach versus when it was not a factor.
Source: IBM 4
And, of course, these risks are on top of the risks that your organization will still face in the office, such as zero-day exploits, inside threats and potential third-party exposure of data.
Managing risk or walking the line?
The ultimate tricky question then is: “What can be done?”
In a “perfect” world, we would be able to set certain requirements for home networks, giving organizations control over firewall settings and password requirements for Wi-Fi networks as well as the ability to push software updates and to remotely shut off remote devices, making the data unrecoverable by malicious actors. Of course, if we are talking about home networks, this may not be legal, let alone feasible.
The legality of an organization requiring remote employees to use certain security practices on their home network will depend on the specific circumstances and applicable laws. While, generally, an organization has the right to implement security measures to protect its confidential information and intellectual property, there are often limitations on what an organization can require of remote employees, particularly if the employees are using their personal devices or home network. For example, there may be privacy laws that limit the types of security measures an organization can require on a personal device.
As you can probably see, this line of thinking can be a bit of a bottomless pit and may not bear risk management fruits proportionate to the amount of overhead that would be involved in researching local privacy laws, rewriting employment agreements and monitoring/enforcing security requirements on private devices.
As such, a better option may be to bypass this line of thinking and simply issue company devices. With employment agreements, acceptable use policies and the ability to have your IT department set up devices prior to usage, company-issued devices offer a number of clear advantages over simply allowing employees to use their own home devices. Company-issued laptops or tablets can be issued with remote shut-off capabilities, automatic backup services and monitoring software that allows your IT department to determine whether users are allowing their devices to update regularly.
In addition, software and operating system policies can be set to enforce password requirements, firewall configurations and software installation privileges. Devices can be “forced” to connect to company servers exclusively through a secure VPN, and devices can even be set to never be discoverable, even on private networks. Graphic 2 shows how VPNs protect user information when accessing the internet.
ACAMS Today June – August 2023 27